Computers have become an integral tool in a wide variety of applications, such as finance and commercial transactions, computer-aided design and manufacturing, health care, telecommunication, and education. Computers are finding new applications as a result of advances in hardware technology and rapid development in software technology. Furthermore, a computer system's functionality is dramatically enhanced by coupling stand-alone computers together to form a computer network. In a computer network, users may readily exchange files, share information stored on a common database, pool resources, and communicate via e-mail and via video teleconferencing.
In order to be connected to a network, a user typically has to go through a “log-in” process in which the user proves that he or she is an authorized user of the network resources. Proving that a network user is allowed to access a network and/or network resources is a problem that has been addressed in the past by requiring the requester to enter a username and password, which are then sent over the network and verified to match the same information stored by a server on the network. When the channel is relatively secure, as it is in wired networks such as Ethernet, that method works well. However, this method relies on an unstated assumption that the network over which the user sends the username and password is actually the network that the user expects to be using, and that the network does not need to prove its identity.
That assumption fails when the network is not relatively secure. A wireless LAN (“Local Area Network”) is an example of an unsecured network. In these networks, there is not an easily scrutinized physical connection upon which the user can rely. To provide the user with some assurance that the network that is being used is the one the user expects, some proof must be provided by the network of its identity. With this proof, the user can then determine whether it is prudent to offer the username and password to the network.
Further, in conventional wired networks, it is assumed that only authorized users and equipment are connected to the network. Thus, it is relatively safe to send sensitive information (e.g., user identifiers, passwords, etc.) over a wired network “in the clear,” i.e., unencrypted and not protected in any way. For wireless LANs, unfortunately, this cannot be guaranteed. In a wireless LAN, operating in this manner would expose sensitive information to casual eavesdroppers.
Therefore, what is needed is a method and system for protecting sensitive information over unsecured channels against eavesdroppers. What is further needed is a method and system for providing assurance that the network a user is trying to access is the one the user expects.